As information systems have taken on a more important role with the development of the information industry, the importance of security management has been increasing. For the security management of such information systems, security risks are analyzed based on, for example, the discovery of threats and vulnerabilities and their occurrence probabilities; security policies are designed; and the necessary countermeasures are taken. Regarding the implementation of security countermeasures, there is a method for analyzing risks based on whether a vulnerability exists, the vulnerability occurrence frequency, and an asset value, taken as the status of a system in operation (see Patent Literature 1). Another method updates a risk value based on the asset value of information and on file access information, and executes countermeasure processing such as access limitations if the risk value exceeds a designated threshold (see Patent Literature 2).